Cloudflare Vulnerability Disclosure Policy

We take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to Cloudflare.

If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.


Any web properties owned by Cloudflare are in scope for the program, including:

  • *

Cloudflare customer sites are out of scope for our Vulnerability Disclosure program.

If you are a customer and have a password or account issue, please contact Cloudflare support. For abuse issues or law enforcement inquiries, please review our abuse policy.

Eligibility and Disclosure

In order for your submission to be eligible:

  • You must agree to our Vulnerability Disclosure Policy.
  • You must be the first person to responsibly disclose an unknown issue.

All legitimate reports will be reviewed and assessed by Cloudflare’s security team to determine whether they are eligible.

As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.


The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in permanent disqualification from the program.

  • Physical attacks against Cloudflare employees, offices, and data centers.
  • Social engineering of Cloudflare employees, contractors, vendors, or service providers.
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
  • Any vulnerability obtained through the compromise of Cloudflare customer or employee accounts. If you need to test a vulnerability, please create a free account.
  • Being an individual on, or residing in any country on, any U.S. sanctions lists.

Cloudflare uses the HackerOne platform for all vulnerability submissions. We agree with their disclosure philosophy, and if you do too, please submit your vulnerability reports here.

Submit a report